[Ach] StartSSL for Business Sysadmins

Tobias Dussa (SCC) tobias.dussa at kit.edu
Tue Jan 14 09:09:07 CET 2014 

Hi,

On Mon, Jan 13, 2014 at 03:26:00PM +0100, Alexander Wuerstlein wrote:
> Physical security may be nice in general, but its beside the point. All
> your steel doors with two locks and stuff won't help if a) your software
> is faulty (please show me the CA that has its root cert completely and
> utterly offline, some HSM doesn't count)

That's easy: http://www.gridka.de/ca for starters.  And while I'm not entirely
certain, I do believe that all EUGridPMA-accredited CAs have to be strictly
offline.

> For everything else there are more trustworthy, systematically better
> alternatives like ssh- and GPG-keys. Or private, organisation-wide CAs,
> but with those there are still the generally weird problems with X.509
> itself.

So in what world are GPG and SSH better concepts?  Yes, they do provide the user
the theoretical possibility to do key verification in a more sensible way.  That
doesn't mean that people actually do that.  In fact, at this point, I'd say that
the vast majority of serious GPG users are somewhat concerned about their
privacy, certainly more so than the average, and even THESE people don't always
verify stuff properly.  Some do, and I certainly almost always do decent GPG key
verification (though there have been occasions when I was reasonably certain
that a given GPG key was authentic and the information to be passed was not
sufficiently important but time was critical, so I felt that was good enough for
the occasion), but SSH host key verification?  C'mon, who are you trying to
fool?  And I'm not even considering Joe R. Loser here as target audience, who
probably neither sufficiently grasps the concept nor gives a shit.  For those
people, SSH and GPG are simply worthless in terms of the security problems that
are being laid at X.509's feet.

The fact is that in the real world, there are trade-offs to be made between
valid security goals, usability, effort required (financial and otherwise), and
user acceptance.  In the end, fundamentalistic lines of reasoning are necessary
to create awareness and keep an audience, but at the end of the day those
simplistic views don't do anything to help improve security in practical terms,
which is what this project is about.

Cheers,
Toby.
-- 
Measure with a micrometer.  Mark with chalk.  Cut with an axe.

----

Karlsruhe Institute of Technology (KIT)
Steinbuch Centre for Computing (SCC)
KIT-CERT

Tobias Dussa
CERT Manager, CA Manager

Zirkel 2
Building 20.21
76131 Karlsruhe, Germany

Phone: +49 721 608-42479
Fax: +49 721 608-9-42479
Email: tobias.dussa at kit.edu
Web: http://www.kit.edu/

KIT – University of the State of Baden-Wuerttemberg and
National Laboratory of the Helmholtz Association

More information about the Ach mailing list